sudoers

James Dugger james.dugger at gmail.com
Mon Jul 14 21:48:05 MST 2014


Michael,

The following line:

     %sudo ALL=(ALL)  NOPASSWD:  ALL

literally means:

      ALL users in the sudo group can execute ALL commands as ALL users
from ALL places without a password.

Without any lines after this, the only thing that you would need to do is
add users to the sudo group (/etc/group).  Thus the line:

     $ sudo useradd -G sudo <user>

The %sudo portion of the stanza tells Linux to look in the /etc/group file
for a line starting with "sudo" and include any users listed on that line
in the sudo group.  This way you don't have to add them individually as
separate lines in the sudoers file. For example, let's say you have 3 users
(john, jane, sam) that you want to have sudo rights w/o a password. It
could be done in one of two ways:

1st- in sudoers

     jane ALL=(ALL)  NOPASSWD:  ALL
     john ALL=(ALL)  NOPASSWD:  ALL
     sam ALL=(ALL)  NOPASSWD:  ALL

or

2nd - in sudoers and /etc/group

     %sudo ALL=(ALL)  NOPASSWD:  ALL

in /etc/group

     sudo:x:##:john,jane,sam

Both work but programmatically the 2nd option eliminates redundant code
when writing scripts and allows the use of additional shell commands (and
arguably more simple ones) to be used to maintain file changes (i.e. sudo
useradd -a -G sudo <user>).  When scripting it is easier to add the use of
usermod and useradd to a script than to use commands like sed -i and then
having to escape special characters like "%, (,  and )" when making changes
or updates.



On Mon, Jul 14, 2014 at 7:48 PM, Michael Havens <bmike1 at gmail.com> wrote:

> I was wondering: these are the instructions I was given to make it so I
> don't need to input my password after I sudo.
> ---
> sudo visudo
> <password>
>
> comment out the line:
>
>   %sudo ALL=(ALL:ALL) ALL
>
> and add a new line below it like this:
>
>   %sudo ALL=(ALL)  NOPASSWD:  ALL
>
>   sudo useradd -G sudo <user>
> ---
> I was thinking that with the script being like that I probably don't need
> the last line because the way it is I am telling it no one needs a password
> with sudo. It would probably be more secure to have:
>
>   %sudo ALL=(ALL)  NOPASSWD:  <desired users>
>
> is that correct? If I had multiple users who I wanted to not use a
> password would I separate the users with a space or comma? If I only wanted
> one user to be able to sudo  it would be:
>
>   %sudo <user>=(ALL)  NOPASSWD:  <user>
>
> what is the point of the ALL surrounded by parentheses?
> :-)~MIKE~(-:



-- 
James

*Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
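
As an added example (not part of the original post or thread), the sketch below audits which accounts a set of sudoers lines and /etc/group entries actually make passwordless, by expanding %group rules the way the reply describes. The sample input, the GID 27, the extra `backup` and `ops` rules and all function names are constructed for illustration; the parser assumes a simplified sudoers grammar with no aliases, line continuations or include directives, and only sees members listed in /etc/group.

```python
import re

# Constructed sample input modelled on the post's two options.
SUDOERS = """\
# %sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL)  NOPASSWD:  ALL
jane ALL=(ALL)  NOPASSWD:  ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
ops ALL=(ALL:ALL) ALL
"""
GROUP = """\
root:x:0:
sudo:x:27:john,jane,sam
"""

# user-or-%group  host = (runas)  rest-of-rule
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$")

def group_members(group_text):
    """Map group name -> member list from /etc/group style text."""
    members = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            members[fields[0]] = [u for u in fields[3].split(",") if u]
    return members

def nopasswd_grants(sudoers_text, group_text):
    """Return {user: {(runas_user, commands)}} for every NOPASSWD rule."""
    groups = group_members(group_text)
    grants = {}
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if line.startswith("#") or not m or not m.group("rest").startswith("NOPASSWD:"):
            continue
        who = m.group("who")
        # %name means "members of group name"; anything else is a single user.
        users = groups.get(who[1:], []) if who.startswith("%") else [who]
        # No (runas) means root; (user:group) keeps only the user part here.
        runas = (m.group("runas") or "root").split(":")[0].strip()
        cmds = m.group("rest")[len("NOPASSWD:"):].strip()
        for user in users:
            grants.setdefault(user, set()).add((runas, cmds))
    return grants

def unrestricted(grants):
    """Users who may run ALL commands as ALL users without a password."""
    return sorted(u for u, g in grants.items() if ("ALL", "ALL") in g)
```

On a real host, pass the contents of /etc/sudoers (read with sufficient privilege) and /etc/group as the two arguments.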